Re: [PATCH net v5] bpf, net: Fix a potential race in do_sock_getsockopt()
From: Stanislav Fomichev
Date: Fri Aug 30 2024 - 23:29:23 EST
On 08/30, Tze-nan Wu wrote:
> There's a potential race when `cgroup_bpf_enabled(CGROUP_GETSOCKOPT)` is
> false during the execution of `BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN`, but
> becomes true when `BPF_CGROUP_RUN_PROG_GETSOCKOPT` is called.
> This inconsistency can lead to `BPF_CGROUP_RUN_PROG_GETSOCKOPT` receiving
> an "-EFAULT" from `__cgroup_bpf_run_filter_getsockopt(max_optlen=0)`.
> Scenario shown as below:
>
> `process A` `process B`
> ----------- ------------
> BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN
> enable CGROUP_GETSOCKOPT
> BPF_CGROUP_RUN_PROG_GETSOCKOPT (-EFAULT)
>
> To resolve this, remove the `BPF_CGROUP_GETSOCKOPT_MAX_OPTLEN` macro and
> directly uses `copy_from_sockptr` to ensure that `max_optlen` is always
> set before `BPF_CGROUP_RUN_PROG_GETSOCKOPT` is invoked.
>
> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
> Co-developed-by: Yanghui Li <yanghui.li@xxxxxxxxxxxx>
> Signed-off-by: Yanghui Li <yanghui.li@xxxxxxxxxxxx>
> Co-developed-by: Cheng-Jui Wang <cheng-jui.wang@xxxxxxxxxxxx>
> Signed-off-by: Cheng-Jui Wang <cheng-jui.wang@xxxxxxxxxxxx>
> Signed-off-by: Tze-nan Wu <Tze-nan.Wu@xxxxxxxxxxxx>
Acked-by: Stanislav Fomichev <sdf@xxxxxxxxxxx>